Published: May 13, 2022
Source: github
Github: Reviewed
CVSS4: 5.3
CVSS3: 6.1
Description
Improper Neutralization of CRLF Sequences in urllib3 library for Python
In the urllib3 library through 1.24.2 for Python, CRLF injection is possible if the attacker controls the request parameter.
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-11236
- https://github.com/urllib3/urllib3/issues/1553
- https://usn.ubuntu.com/3990-2
- https://usn.ubuntu.com/3990-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72
- https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
- https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
- https://lists.debian.org/debian-lts-announce/2019/06/msg00016.html
- https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2019-132.yaml
- https://github.com/advisories/GHSA-r64q-w8jr-g9qp
- https://access.redhat.com/errata/RHSA-2019:3590
- https://access.redhat.com/errata/RHSA-2019:3335
- https://access.redhat.com/errata/RHSA-2019:2272
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
Packages
Name: urllib3 (pip)
Affected versions: <= 1.24.2
Fixed version: 1.24.3
Related vulnerabilities
CVSS3: 6.1
ubuntu
about 6 years ago
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CVSS3: 6.5
redhat
more than 6 years ago
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CVSS3: 6.1
nvd
about 6 years ago
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CVSS3: 6.1
debian
about 6 years ago
In the urllib3 library through 1.24.1 for Python, CRLF injection is po ...